Kathleen Hamann, on Lessons for the Private Sector

Wall Street Journal

Kathleen Hamann, a partner at the law firm White & Case LLP, spent years working in the Foreign Corrupt Practices Act unit of the U.S. Justice Department. Prior to that, she worked in the U.S. State Department on anti-corruption issues. She recently left the government for private practice, and in this Q&A discusses the lessons she teaches companies based on her experience. The conversation was condensed and edited for clarity.

Kathleen Hamann

When did you leave DOJ and join the firm?

Ms. Hamann: I left Justice on Jan. 10, and I started at the firm Jan. 13.

Is there a cooling off period?

I don’t have the cooling off period because I wasn’t a supervisor. I can’t get involved in anything I was directly involved in or advised on, but I don’t have the one-year waiting period before I can appear before the department.

Have you appeared before DOJ since leaving?

I’ve made a couple of phone calls but nothing like a big meeting or anything like that.

Tell me what companies should take from your time at the Justice Department now that you’re advising them on how to fulfill the requirements of an FCPA compliance program.

The first thing I would say is that companies shouldn’t just be thinking about the FCPA. There’s been such a proliferation of transnational bribery laws and domestic bribery laws that you may not [just] have an FCPA issue. You also have to think about the U.K. Bribery Act, you may have to think about the Corruption of Foreign Public Officials Act in Canada, [among others.]

A lot of the laws in other countries have complete defenses to liability for having a good compliance program in place. Having a good compliance program ahead of time not only helps prevent misconduct, but it also puts the company in a better position if something does go wrong. There are points all the way where a good compliance program and strong remediation can either stop an investigation, or really mitigate the consequences of the investigation, both in terms of the penalty and in terms of the reputational risk the company will take.

In four months since leaving the Justice Department, have you noticed companies having that holistic view, or are you finding yourself having to teach it to them?

Companies come in all shapes and sizes, and while some are more sophisticated and understand it, others really still think it’s an all-FCPA world.

An example from my time at DOJ that many people aren’t aware of is a situation where a company was acquiring another company in a fast acquisition, and they didn’t have time to do all the due diligence. They figured out pretty quickly after the acquisition that there was something badly wrong in the company they acquired, but the [buying company] had a pretty good compliance program, which they pushed out quickly, remediated and told the government what happened. This was in the U.S. Nobody knows the company’s name; they were never charged, only individuals faced charges. They had no reputational impact because nobody ever really knew it was them. They had no corporate consequences: There was no fine, they faced no prosecution.

That’s sort of the ideal. But now you have to not only think about doing that in the FCPA context, you have to think about doing that under other applicable laws.

What do you tell companies about self-reporting allegations to the authorities?

I think it’s a much more complicated question than even five years ago. It used to be that you disclose to the Justice Department and the SEC; you deal with them and it’s over. But now: How many different jurisdictions do you need to disclose to? What if it’s a country with no mechanism for voluntary disclosure, or no mechanism to reward voluntary disclosure?

I also think there’s a perception that your only two choices are to voluntarily disclose, lay down and cooperate, and give the department everything it asks for — or fight from day one. Those aren’t the only two options. There are stages of cooperation where you can get full credit, without accepting everything that is said by the government as gospel.

You want to minimize disruption to your business operations , which can be one of the best incentives for voluntary disclosure. The U.S. generally doesn’t do things like seize servers, but others do. It’s incredibly disruptive to business operations to have foreign law enforcement take your in-country server. There has to be a very clearheaded assessment of what jurisdictions are involved, how complicated voluntary disclosure will be and what the genuine benefits and risks are of the disclosure are.

Over the past year financial institutions have become a much greater focus generally. I think they’ve focused very heavily on the know-your-customer rules and all the new money laundering standards but I think there’s been a little bit of tunnel vision. [They need to] broaden their perspectives and, again, have holistic approaches to compliance where sanctions feeds into kn0w-your-customer feeds into anti-bribery compliance. There are efficiencies of scale to be had there, rather than setting up all kinds of systems.

A lesson that can be learned is: If your compliance system is too complicated, people will go around it. It needs to be easy to understand. People need to know who to call; they need to know how it works. You need to make it as easy on the businesspeople as possible so they just see it as a step rather than an obstacle, and they’ll do what needs to be done. Otherwise, I think you’ll drive things underground.

One of the most important lessons for financial institutions is to not wait for some regulator to come knocking on your door. If your competitors are being investigated for a certain kind of behavior in a market or in a product that you do a lot of business in, it might be a good time to make sure your own house is in order – even if you have a good compliance program.

Write to Samuel Rubenfeld at Samuel.Rubenfeld@wsj.com. Follow him on Twitter at@srubenfeld.

For many financial services firms, work remains to operationalize the governance structures they have adopted. Further, expectations regarding governance have shifted: Stakeholders now see boards as more accountable for the effectiveness of their overall governance process. This shift is real, and it is significant. It will likely amount to an expectation of greater board involvement in the means by which governance is effected, and for more active oversight by the board and its committees.

Search for Risk & Compliance Report Articles

About Risk & Compliance

Risk & Compliance provides news and commentary to corporate executives and others who need to understand, monitor and control the many risks that can tarnish brands, distract management and harm investors. Its content spans governance, risk and compliance and includes analysis of the significance of laws and regulations, the risks inherent in global expansion and the protective moves taken by companies.